
Samhain and rsync issues under MacOSX

Posted in Apple on October 25th, 2009 by atma

I like to keep things secure, and I have a few monitoring applications running on my OSX Tiger server[1]. After a short search for a good IDS, I passed over the well-known AIDE in favour of Samhain. I had been watching this project since 2007 but never actually used it.

Since MacPorts does not have a port for this, I created a custom directory and did the installation manually. Everything went smoothly; some time has passed since then and I can’t recall whether I needed extra packages, but I think not.

After lightly configuring samhainrc, in order to get a first understanding of the program, I changed the directories to match OSX’s layout and started running it. Note at this point that my default shell is zsh.

After a couple of days I tried to log in and noticed – yes, I’m a genius – that the prompt took more than 20 seconds to show up after the motd was displayed. Then I got a broken-library message for a library zsh relies on, so in a second terminal window I was not able to get a shell.

Since I’m using the MacPorts zsh – yes, I know it’s a dangerous thing to use a shell that doesn’t sit in /bin/, as an upgrade could lock you out – I thought, hey, that’s the problem. I changed to /bin/zsh. The problem persisted. Then I switched to bash and everything was fine.

By the time I thought about switching shells, 30 minutes had already passed since I woke up – Sunday morning – so I started thinking!!! Amazing things happen when you start to use your brain; you can try it! I took a look at the logs.

The buffer was full of the following message:

HFS: /rsrc paths are deprecated (..namedfork/rsrc)

Actually, after a Google search I found out that OSX command-line utilities use resource forks: Apple has built everything with an additional extended-attribute option (-E). So when you use the MacPorts version of rsync, syslog goes crazy and begins to flood the system with error messages. At this point you have two options: either switch to the default system-wide rsync, which sits at /usr/bin/rsync, or mute syslog.

Since muting syslog did not seem like the right choice, I decided to just rename the MacPorts rsync and see how it went. Nothing changed. At that point I turned into a wizard and decided(!) to take a look at /var/log/syslog – I know it takes at least 20 years of expertise to realise that you need to look there FIRST – and realised that samhain was causing the trouble.

Apparently samhain uses some kind of built-in rsync-like tool rather than the external command. So if you (ever) decide to use a newer rsync version or samhain on Tiger, think again.
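The diagnosis above came down to correlating the kernel’s HFS warnings with whatever else was logging at the same time. As an added example (not code from the original post or from the Samhain project), here is a small script that does that correlation over a constructed syslog sample: it buckets the deprecation warnings by minute, flags minutes where they pile up, and lists the non-kernel processes that logged during those minutes. The samhain and sshd lines in the sample are invented for illustration and do not reproduce Samhain’s real log format.

```python
import re
from collections import Counter

# Matches classic BSD syslog lines; captures the minute, the process name and the message.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")
HFS_WARNING = "HFS: /rsrc paths are deprecated"

# Constructed sample log (not real output); the samhain/sshd lines are illustrative only.
SAMPLE_LOG = """\
Oct 25 08:00:01 tiger samhain[412]: START file check (constructed line)
Oct 25 08:00:02 tiger kernel[0]: HFS: /rsrc paths are deprecated (..namedfork/rsrc)
Oct 25 08:00:02 tiger kernel[0]: HFS: /rsrc paths are deprecated (..namedfork/rsrc)
Oct 25 08:00:03 tiger kernel[0]: HFS: /rsrc paths are deprecated (..namedfork/rsrc)
Oct 25 08:01:10 tiger sshd[501]: Accepted publickey for atma (constructed line)
Oct 25 08:05:00 tiger samhain[412]: END file check (constructed line)
"""


def parse(log_text):
    """Yield (minute, process, message) for every line that looks like syslog."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def flood_minutes(log_text, threshold=2):
    """Return {minute: count} for minutes with at least `threshold` HFS warnings."""
    counts = Counter(minute for minute, _proc, msg in parse(log_text) if HFS_WARNING in msg)
    return {minute: n for minute, n in counts.items() if n >= threshold}


def suspects(log_text, threshold=2):
    """Count non-kernel processes that logged during flooding minutes.

    The HFS warning itself is logged by the kernel, so it never names the
    offender; the best hint is what else was active in the same window.
    """
    floods = flood_minutes(log_text, threshold)
    seen = Counter()
    for minute, proc, _msg in parse(log_text):
        if minute in floods and proc != "kernel":
            seen[proc] += 1
    return seen


if __name__ == "__main__":
    for minute, n in sorted(flood_minutes(SAMPLE_LOG).items()):
        print("%s: %d HFS warnings" % (minute, n))
    print("processes active during flood:", dict(suspects(SAMPLE_LOG)))
```

On a real box, feed it `/var/log/syslog` (or `/var/log/system.log` on newer systems) and raise the threshold to match the actual flood rate.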

Another interesting hint regarding rsync backups: rsync does not copy MacOSX ACLs, just the files and the metadata that comes with them.

  1. It’s not running the server edition, just the desktop Tiger 10.4.11 system acting as a home server.
